Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 22 Oct 2017 01:41:29 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: LAME 3.100 released with security fixes

Hello,

LAME 3.100 has been released including fixes to security vulnerabilities.
Coy-paste from history:

Rogério Brito

- Don't include the debian directory as one that is needed during builds. Patch
taken from Debian's packaging of lame.

- Resurrect Owen Taylor's code dated from 97-11-3 to properly deal with GTK1.
This was transplanted back from aclocal.m4 with a patch provided by Andres
Mejia. This change makes it easy to regenerate autotools' files with a simple
invocation of autoconf -vfi.

- Fix possible race condition causing build failures in libmp3lame. Discovered
in automated builds by the Debian project with patch provided by Andres Mejia.

Robert Hegemann

- Improved detection of MPEG audio data in RIFF WAVE files. Tracker item [
3545112 ] Invalid sampling detection

- New switch --gain <decibel>, range -20.0 to +12.0, a more convenient way to
apply Gain adjustment in decibels, than the use of --scale <factor>.

- Fix for tracker item [ 3558466 ] Bug in path handling

- Fix for tracker item [ 3567844 ] problem with Tag genre

- Fix for tracker item [ 3565659 ] no progress indication with pipe input

- Fix for tracker item [ 3544957 ] scale (empty) silent encode without warning

- Fix for tracker item [ 3580176 ] environment variable LAMEOPT doesn't work
anymore

- Fix for tracker item [ 3608583 ] input file name displayed with wrong
character encoding (on windows console with CP_UTF8)

- Fix for bug ticket [ #447 ] Fix dereference NULL and Buffer not NULL
terminated issues. Thanks to Surabhi Mishra

- Fix for bug ticket [ #445 ] dereference of a null pointer possible in loop.
Thanks to Renu Tyagi

- Fix for bug ticket [ #449 ] Make sure functions with SSE instructions
maintain their own properly aligned stack. Thanks to Fabian Greffrath

- Fix for bug ticket [ #458 ] Multiple Stack and Heap Corruptions from
Malicious File. Thanks to Gareth Evans and Elio Blanca

- Fix for bug ticket [ #460 ] A division by zero vulnerability. Thanks to Wang
Shiyang, Liu Bingchang

- Fix for bug ticket [ #461 ] CVE-2017-9410 fill_buffer_resample function in
libmp3lame/util.c heap-based buffer over-read and ap

- Fix for bug ticket [ #462 ] CVE-2017-9411 fill_buffer_resample function in
libmp3lame/util.c invalid memory read and application crash

- Fix for bug ticket [ #463 ] CVE-2017-9412 unpack_read_samples function in
frontend/get_audio.c invalid memory read and application crash

- Fix for bug ticket [ #434 ] clip detect scale suggestion unaware of scale
input value

- HIP decoder bug fixed: decoding mixed blocks of lower sample frequency Layer3
data resulted in internal buffer overflow (write). Thanks to Henri Salo

Alexander Leidinger

- Feature request, patch ticket [ #27 ] Add
lame_encode_buffer_interleaved_int() by Michael Fink

-- 
Henri Salo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.